
#1 2013-08-07 05:35:43

jonalvarezz
Member
From: Colombia
Registered: 2013-08-07
Posts: 5

[Solved] Can't run php scripts in chroot Nginx

Hi everybody!

I have a fresh installation of Chroot Nginx following Nginx - Archlinux wiki.

Nginx's welcome page is served with no problems, however I'm getting issues with .php files.

If I don't put a root path in the php block of the nginx configuration file:

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
}

I get a 404 Error message. (Nginx Log)

Instead, if I define the root path:

location ~ \.php$ {
    try_files $uri =404;
    root   /usr/share/nginx/html;
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
}

I get the error message: "An error occurred. Sorry, the page you are looking for is currently unavailable. Please try again later." (Nginx Log)


I've tried different php block configurations like:

  • Using fastcgi_pass 127.0.0.1:9000;

  • Using fastcgi_pass localhost:9000;

  • Using fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;

With no luck.

open_basedir in /etc/php/php.ini already includes /usr/share/nginx/html

open_basedir = /usr/share/webapps/:/srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/nginx/html

These are my conf files:

Some outputs:
ps -C nginx | awk '{print $1}' | sed 1d | while read -r PID; do ls -l /proc/$PID/root; done

lrwxrwxrwx 1 root root 0 Aug  7 00:22 /proc/451/root -> /srv/http
lrwxrwxrwx 1 http http 0 Aug  7 00:22 /proc/452/root -> /srv/http

ps -ef|grep php-fpm

root       363     1  0 Aug06 ?        00:00:03 php-fpm: master process (/etc/php/php-fpm.conf)              
http       364   363  0 Aug06 ?        00:00:00 php-fpm: pool www                                            
http       365   363  0 Aug06 ?        00:00:00 php-fpm: pool www                                            
root       459   438  0 00:22 pts/0    00:00:00 grep php-fpm

Wondering if the php files or the php-fpm socket must be copied to the respective jail path.

Any ideas?

Thank you so much.

Last edited by jonalvarezz (2013-08-07 18:06:15)

Offline

#2 2013-08-07 18:05:46

jonalvarezz
Member
From: Colombia
Registered: 2013-08-07
Posts: 5

Re: [Solved] Can't run php scripts in chroot Nginx

Solved.

Php-fpm must be configured to use a chroot directory.


In /etc/php/php-fpm.conf

make sure to set the chroot variable.

chroot = /srv/http

In order to connect to the php-fpm socket, FastCGI must listen on the TCP socket.

listen = 127.0.0.1:9000

Using a Unix socket doesn't connect; if somebody succeeds with it, please tell me, since a Unix socket is faster.

Adjust your Nginx configuration file

This is my php block in nginx.conf:

location ~ \.php$ {
    # return 404 when the script does not exist (no space after "=")
    try_files $uri =404;
    root   /usr/share/nginx/html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    include fastcgi.conf;
}

Restart services

# systemctl restart php-fpm
# systemctl restart nginx

Enjoy.

Offline

#3 2013-08-26 00:08:56

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 173

Re: [Solved] Can't run php scripts in chroot Nginx

Hi,

I have built a similar stack on my devel box and found out there is another alternative to your config.

Instead of using a TCP socket, one might want to ask php-fpm to create its socket in the /run/php-fpm directory of nginx's chrooted jail.

(...)
pid = /path_to_nginx_jail/run/php-fpm/php-fpm.pid
(...)
listen = /path_to_nginx_jail/run/php-fpm/php-fpm.sock
(...)

I'm not sure how it will affect the whole security concept though.

Last edited by Gregosky (2013-10-29 13:56:37)

Offline

#4 2013-10-29 04:00:25

gustopn
Member
Registered: 2013-10-29
Posts: 1

Re: [Solved] Can't run php scripts in chroot Nginx

Gregosky wrote:

I'm not sure how it will affect the whole security concept though.

PHP is the security problem because PHP can do harm. It is highly unlikely that nginx would do anything to your system. PHP on the other hand has the ability to read and write files on the system, so it has to be chrooted (at least), so that people are not able to do lots of harm by reading out other files or overwriting configurations.

Nowadays, especially on these virtualized servers, I find the chrooting of nginx overkill, because there are bigger security issues.

Then putting nginx into a jail makes limited sense too. Likewise, having a jail only for running a PHP process may be a good idea, but is overkill too as long as you can simply chroot it and so prevent it from writing or reading parts of the system you do not want it to access (a jail does the same).

PS: As far as I can see from your code examples, you were trying to access the jail from outside the jail; that makes no sense either, because then you are breaking the whole point of running software in a jail. When you make it possible for other software to access the jail or even the whole system, what do you then need the jail for? Someone who wants to cause you harm would surely go for the entire thing instead of playing around with one jail.

Offline

#5 2013-10-29 13:51:42

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 173

Re: [Solved] Can't run php scripts in chroot Nginx

Hi,

Many thanks for your great answer.

In my case nginx is built according to the Arch Linux wiki (link).

Apart from that I have used the php-fpm >>chroot<< option mentioned by jonalvarezz. The only difference is that I decided to go for Unix sockets rather than TCP sockets (a lot of comments on the internet are suggesting Unix sockets are faster).

So in the end I have both nginx and php-fpm chrooted into the same directory. There is just the case with the php-fpm configuration where I configured it to drop the socket into /run of that chroot. For that I have had to provide an absolute path. So in fact this configuration looks like this:

(...)
chroot = /path_to_nginx_jail
(...)
pid = /path_to_nginx_jail/run/php-fpm/php-fpm.pid
(...)
listen = /path_to_nginx_jail/run/php-fpm/php-fpm.sock
(...)

Thanks again,
Greg

Last edited by Gregosky (2013-10-29 13:56:16)

Offline

#6 2013-12-17 07:14:42

solar
Member
Registered: 2011-03-01
Posts: 77

Re: [Solved] Can't run php scripts in chroot Nginx

@greg

It seems to work fine here without placing the pid inside the jail, just the socket and the chroot def. Since php-fpm is being launched on the host, I am not sure I would place the pid inside the jail.

The nginx pid is placed inside the jail, as per wiki, which makes sense, since it needs to access the pid file.

php-fpm being outside doesn't, thus I don't think you should place it within the jail.

But I am a total noob with these things, so everything I say might be wrong :)


I am hilariously insane. yup. you won't notice though.. I promise...I think.

Offline

#7 2013-12-17 15:28:49

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 173

Re: [Solved] Can't run php scripts in chroot Nginx

@solar, many thanks for your comment - it makes sense to me. If somebody finds the way through php then certainly I would not want such a person to know anything that runs outside the chroot.

Offline
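
The `/proc/$PID/root` check from post #1, extended to php-fpm, as an added example that is not part of any post in this thread: it lists nginx and php-fpm pool processes whose root directory is not the jail. The function name `unjailed` and its parameters are assumptions made for this example; the php-fpm master is not matched because it is launched on the host, as post #6 notes.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists processes that run outside
# the expected chroot, using the /proc/<pid>/root link inspected in post #1.

# unjailed PROC_DIR JAIL PREFIX...
#   PROC_DIR  normally /proc (a parameter so a constructed tree can be checked)
#   JAIL      expected root directory, e.g. /srv/http
#   PREFIX    start of the process title, e.g. "nginx:" or "php-fpm: pool"
# Prints "PID ROOT TITLE" for each matching process whose root is not JAIL
# and returns 1 if there was at least one, 0 otherwise.
unjailed() {
    proc_dir=$1
    jail=$2
    found=0
    shift 2
    for prefix in "$@"; do
        for dir in "$proc_dir"/[0-9]*; do
            [ -r "$dir/cmdline" ] || continue
            # cmdline is NUL-separated; nginx and php-fpm rewrite it to a title
            title=$(tr '\0' ' ' < "$dir/cmdline")
            title=${title% }
            case $title in
                "$prefix"*) ;;
                *) continue ;;
            esac
            # the link is only readable by root or the owner of the process
            root=$(readlink "$dir/root" 2>/dev/null) || root="(unreadable)"
            if [ "$root" != "$jail" ]; then
                echo "${dir##*/} $root $title"
                found=1
            fi
        done
    done
    return "$found"
}

# Typical call for the setup in this thread (run as root):
#   unjailed /proc /srv/http "nginx:" "php-fpm: pool"
```

With the configuration from post #1 this reports the two `php-fpm: pool www` workers with root `/`; after `chroot = /srv/http` is set and php-fpm is restarted, it prints nothing.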
